Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1471 to the following vulnerability: Integer signedness error in zip_stream.c in the Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (CPU consumption) via a malformed archive file that triggers errors in zip_fread function calls. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1471 [2] http://bugs.php.net/bug.php?id=49072 [3] http://www.php.net/ChangeLog-5.php Upstream patches / backports: [4] http://svn.php.net/viewvc/?view=revision&revision=287095 [5] http://svn.php.net/viewvc/?view=revision&revision=287102 [6] http://svn.php.net/viewvc/?view=revision&revision=307916 [7] http://svn.php.net/viewvc/?view=revision&revision=307917
Public PoC from [2]: ==================== $o = new ZipArchive(); if (! $o->open('test.zip',ZipArchive::CHECKCONS)) { exit ('error can\'t open'); } $o->getStream('file2'); // this file is ok echo "OK"; $r = $o->getStream('file1'); // this file has a wrong crc while (! feof($r)) { fread($r,1024); } echo "never here\n"; ?>
This issue did NOT affect the versions of the php package, as shipped with Red Hat Enterprise Linux 4 and 5. -- This issue affects the version of the php53 package, as shipped with Red Hat Enterprise Linux 5. This issue affects the version of the php package, as shipped with Red Hat Enterprise Linux 6. -- This issue does NOT affect the versions of the php package, as shipped with Fedora release of 13 and 14 (particular package updates have been already scheduled).
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2011:1423 https://rhn.redhat.com/errata/RHSA-2011-1423.html
Statement: (none)